diff --git a/configs/litespeed/httpd_config.tpl b/configs/litespeed/httpd_config.tpl
index 0e3d050..7d25bc8 100644
--- a/configs/litespeed/httpd_config.tpl
+++ b/configs/litespeed/httpd_config.tpl
@@ -10,6 +10,21 @@
 ## envsubst. Templated vars: $user $domain $vhost_map_aliases $PHPVER
 ## $LSAPI_CHILDREN (computed by detect-memory-litespeed.sh)
 
+## --- real client IP behind HAProxy ---
+## OLS equivalent of the Apache cac:phpNN mod_remoteip wiring
+## (configs/remote_ip.conf + RemoteIPInternalProxy in entrypoint.sh). Without
+## this, OLS records HAProxy's docker-bridge IP as the peer: every site's
+## access_log and lsphp $_SERVER['REMOTE_ADDR'] collapse to one internal IP,
+## silently breaking traffic analytics, WP security plugins, brute-force
+## detection, Coraza source-IP correlation, geo, and rate-limiting.
+## 1 = trust X-Forwarded-For (the container is only reachable via HAProxy;
+## it is never bound to a public address). Mirrors the Apache side, which
+## trusts the whole docker subnet via RemoteIPInternalProxy $docker_network.
+## When enabled, OLS rewrites the remote IP for BOTH logging and the LSAPI
+## REMOTE_ADDR before PHP sees it — so the default access_log format already
+## records the real visitor; no LogFormat change needed.
+useIpInProxyHeader 1
+
 ## --- our listeners (replace stock Default :8088) ---
 listener HTTP {
 address *:80
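Review bot: `useIpInProxyHeader 1` at the end of the added block makes OLS take the client IP from X-Forwarded-For no matter which peer sent the request, while the comment above it describes the Apache side as trusting the header only from the docker subnet, so the two are not equivalent. The setting is safe only as long as the "only reachable via HAProxy" assumption holds; any other container on the bridge, or a port published later, could supply its own header and so choose the REMOTE_ADDR that brute-force detection, rate-limiting and Coraza correlation key on. Consider `useIpInProxyHeader 2` (trusted IPs only) with the docker subnet marked trusted in `accessControl`, e.g. `allow <docker-subnet>T`; the subnet is a placeholder because the template's listed variables do not include one. It is also worth confirming that HAProxy replaces rather than appends to a client-supplied X-Forwarded-For, which this diff does not show.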